Linux-ARM-MSM Archive on lore.kernel.org
 help / color / Atom feed
From: mani@kernel.org
To: gregkh@linuxfoundation.org
Cc: hemantk@codeaurora.org, jhugo@codeaurora.org,
	linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
	Bhaumik Bhatt <bbhatt@codeaurora.org>,
	Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Subject: [PATCH 04/14] bus: mhi: core: Read transfer length from an event properly
Date: Thu, 21 May 2020 20:55:30 +0530
Message-ID: <20200521152540.17335-5-mani@kernel.org> (raw)
In-Reply-To: <20200521152540.17335-1-mani@kernel.org>

From: Hemant Kumar <hemantk@codeaurora.org>

When MHI Driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under control of the MHI device
and never validated by Host MHI driver. The value should never be
larger than the real size of the buffer but a malicious device can
set the value 0xFFFF as maximum. This causes driver to memory
overflow (both read or write). Fix this issue by reading minimum of
transfer length from event and the buffer length provided.

Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
---
 drivers/bus/mhi/core/main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 64022865cb75..a394691d9383 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -513,7 +513,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
 				mhi_cntrl->unmap_single(mhi_cntrl, buf_info);
 
 			result.buf_addr = buf_info->cb_buf;
-			result.bytes_xferd = xfer_len;
+
+			/* truncate to buf len if xfer_len is larger */
+			result.bytes_xferd =
+				min_t(u16, xfer_len, buf_info->len);
 			mhi_del_ring_element(mhi_cntrl, buf_ring);
 			mhi_del_ring_element(mhi_cntrl, tre_ring);
 			local_rp = tre_ring->rp;
@@ -597,7 +600,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl,
 
 	result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ?
 		-EOVERFLOW : 0;
-	result.bytes_xferd = xfer_len;
+
+	/* truncate to buf len if xfer_len is larger */
+	result.bytes_xferd = min_t(u16, xfer_len, buf_info->len);
 	result.buf_addr = buf_info->cb_buf;
 	result.dir = mhi_chan->dir;
 
-- 
2.26.GIT


  parent reply index

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-21 15:25 [PATCH 00/14] MHI patches for v5.8 mani
2020-05-21 15:25 ` [PATCH 01/14] bus: mhi: core: Refactor mhi queue APIs mani
2020-05-21 15:25 ` [PATCH 02/14] bus: mhi: core: Cache intmod from mhi event to mhi channel mani
2020-05-21 15:25 ` [PATCH 03/14] bus: mhi: core: Add range check for channel id received in event ring mani
2020-05-21 15:25 ` mani [this message]
2020-05-21 15:25 ` [PATCH 05/14] bus: mhi: core: Handle firmware load using state worker mani
2020-05-21 15:25 ` [PATCH 06/14] bus: mhi: core: Return appropriate error codes for AMSS load failure mani
2020-05-21 15:25 ` [PATCH 07/14] bus: mhi: core: Improve debug logs for loading firmware mani
2020-05-21 15:25 ` [PATCH 08/14] bus: mhi: core: Ensure non-zero session or sequence ID values are used mani
2020-05-21 15:25 ` [PATCH 09/14] bus: mhi: core: Remove the system error worker thread mani
2020-05-21 15:25 ` [PATCH 10/14] bus: mhi: core: Handle disable transitions in state worker mani
2020-05-21 15:25 ` [PATCH 11/14] bus: mhi: core: Skip handling BHI irq if MHI reg access is not allowed mani
2020-05-21 15:25 ` [PATCH 12/14] bus: mhi: core: Do not process SYS_ERROR if RDDM is supported mani
2020-05-21 15:25 ` [PATCH 13/14] bus: mhi: core: Handle write lock properly in mhi_pm_m0_transition mani
2020-05-21 15:25 ` [PATCH 14/14] bus: mhi: core: Handle syserr during power_up mani
2020-05-21 15:29 ` [PATCH 00/14] MHI patches for v5.8 Manivannan Sadhasivam
2020-05-21 16:19   ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200521152540.17335-5-mani@kernel.org \
    --to=mani@kernel.org \
    --cc=bbhatt@codeaurora.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=hemantk@codeaurora.org \
    --cc=jhugo@codeaurora.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=manivannan.sadhasivam@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-ARM-MSM Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-arm-msm/0 linux-arm-msm/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-arm-msm linux-arm-msm/ https://lore.kernel.org/linux-arm-msm \
		linux-arm-msm@vger.kernel.org
	public-inbox-index linux-arm-msm

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-arm-msm


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git